https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36789
Lisette Scheer <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Signed Off                  |Failed QA

--- Comment #36 from Lisette Scheer <[email protected]> ---
FAIL	koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt
   FAIL	  filters
		missing_filter at line 1074 ( var booking_id = [% booking_id.json %];)
		In order to prevent XSS vulnerabilities all the variables displayed in the templates must be escaped using an appropriate filter.
		See Bug 13618 for more information.
		Not all of them are concerned by the vulnerability but to be on the safe side we are going to escape them all.
		Usually you will want to use the filters provided by TT: html, uri, url, etc.
		And sometimes we will want to display the variable as it is, i.e. you will want to make the browser interpret the content (HTML or JavaScript), in that case you will explicitly use the raw filter, that does nothing.
		https://wiki.koha-community.org/wiki/Coding_Guidelines#HTML9:_Filter_all_template_variables

There are also 2 tidy warnings, one line each in C4/Circulation.pm & circ/circulation.pl

It worked great, and once you add the filter I'm happy to pqa.

-- 
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
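The "filters / missing_filter" rule quoted in the QA output above is simple enough to reimplement, which makes it easier to see exactly what trips it. The script below is an added example written for this page; it is not Koha's own QA script (that one is written in Perl) and not code from the bug report. It walks the Template Toolkit directives in a template, ignores control-flow keywords, assignments and comments, and reports every output directive that carries none of the filters the comment names (html, uri, url and the explicit raw filter); accepting a json filter as well is an assumption made here. The sample template is constructed for the example, with the unfiltered `booking_id.json` line placed at line 10 instead of 1074.

```python
import re

# Template Toolkit directives that control flow or define things. They print
# nothing, so the "every output must be filtered" rule does not apply to them.
CONTROL_KEYWORDS = {
    "IF", "ELSIF", "ELSE", "UNLESS", "END", "FOREACH", "WHILE", "SWITCH",
    "CASE", "SET", "USE", "INCLUDE", "PROCESS", "INSERT", "BLOCK", "MACRO",
    "WRAPPER", "FILTER", "CALL", "DEFAULT", "RETURN", "STOP", "NEXT", "LAST",
    "BREAK", "TRY", "CATCH", "FINAL", "THROW", "META", "TAGS", "DEBUG",
    "PERL", "RAWPERL", "CLEAR",
}

# One [% ... %] directive, including the chomp variants [%- ... -%].
DIRECTIVE_RE = re.compile(r"\[%-?(.*?)-?%\]", re.S)

# Filters accepted as "appropriate": html, uri, url and raw, as the QA comment
# lists them, plus json (assumed here; the real tool's list may differ).
ACCEPTED_FILTER_RE = re.compile(r"\|\s*\$?(html|uri|url|raw|json)\b")


def is_output_directive(body):
    """True if the directive body would print something into the page."""
    body = body.strip()
    if not body or body.startswith("#"):          # empty or [%# comment %]
        return False
    keyword = re.split(r"[\s(]", body, 1)[0]
    # TT keywords are upper-case; a lower-case `end` would be a variable.
    if keyword.isupper() and keyword.upper() in CONTROL_KEYWORDS:
        return False
    # Bare assignment `[% x = 1 %]` is an implicit SET and prints nothing.
    if re.match(r"^[\w.]+\s*=[^=]", body):
        return False
    return True


def find_missing_filters(template_text):
    """Return (line_number, directive_body) for every unfiltered output directive."""
    findings = []
    for m in DIRECTIVE_RE.finditer(template_text):
        body = m.group(1)
        if not is_output_directive(body):
            continue
        if ACCEPTED_FILTER_RE.search(body):
            continue
        line_no = template_text.count("\n", 0, m.start()) + 1
        findings.append((line_no, body.strip()))
    return findings


def qa_report(path, template_text):
    """Lines in the spirit of the QA output quoted above (wording is not the real tool's)."""
    findings = find_missing_filters(template_text)
    if not findings:
        return ["OK\t" + path]
    source_lines = template_text.split("\n")
    report = ["FAIL\t" + path, "   FAIL\t  filters"]
    for line_no, _body in findings:
        report.append(f"\t\tmissing_filter at line {line_no} ({source_lines[line_no - 1]})")
    return report


# Constructed sample template, not a real Koha file. Only line 10 should fail:
# the value lands in a <script> block without any filter at all.
SAMPLE_TEMPLATE = """[% USE raw %]
[% INCLUDE 'doc-head-open.inc' %]
<h1>Checking out to [% borrower.surname | html %], [% borrower.firstname | html %]</h1>
[% IF ( bookings ) %]
<a href="/cgi-bin/koha/circ/circulation.pl?borrowernumber=[% borrower.borrowernumber | uri %]">Reload</a>
[% END %]
[% message_html | $raw %]
<script>
    var borrowernumber = [% borrower.borrowernumber | html %];
    var booking_id = [% booking_id.json %];
</script>
"""

if __name__ == "__main__":
    for line in qa_report("koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt", SAMPLE_TEMPLATE):
        print(line)
```

The check is purely syntactic: it does not know that line 10 sits inside a `<script>` block, where an HTML filter is not what protects you and a JSON-encoding filter is the one that keeps the value a JavaScript literal. That is why the guideline asks for a filter on every directive rather than trying to guess context, and why the raw filter has to be written out explicitly when interpretation by the browser is intended.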
